One of the cruxes of the Sherlock protocol design is the alignment between stakers and security analysts. This alignment is seen in many other "financial" designs such as venture capital firms or hedge funds. In Sherlock's case, stakers are "LPs" who are not experts in a given field but have capital they want to deploy. Security analysts are like "hedge fund analysts" who have expertise in a certain field but don't have the same level of capital or risk profile as LPs. The way these two parties coordinate in a traditional finance setup is through something like a "2 and 20" model, where analysts allocate the LP capital and receive 20% of the gains and 2% of the total value of the capital every year. Sherlock's design follows the spirit of this cooperation.
For each protocol covered by Sherlock, 10-20% of the premium payments will be earmarked for the security team responsible for that protocol (as opposed to the staker pool). These fees will be "vested" for a certain amount of time. If no hacks occur on the relevant protocol during the specified vesting period, then the fees are released to the security team as incentive compensation.
There is some nuance when a hack occurs during a vesting period: the pricing of the protocol's coverage matters. If a security expert or team prices a specific protocol at 2%, there is an implied "acceptable" hack amount baked into that 2%. If the value of the hack comes in below that implied "acceptable" amount, then the security team will still have a claim to the majority of the tokens in vesting. If the hack comes in above the value implied in the 2% pricing, then the slashing of the vesting compensation can be very severe. In a scenario where the hack comes in much, much higher than the implied "acceptable" amount, the entire compensation pool can be drained.

Who would want to sign up for the security team?

Being a part of the Sherlock security team is not for everyone. If someone has a very low tolerance for variability in their compensation, this role may not be right for them. However, Sherlock has seen that there is a meaningful subset of the security community that is looking for a role exactly like this. Instead of participating passively in preventing hacks, Sherlock security analysts get much more agency in securing one or many important DeFi protocols, and the hundreds of millions or billions of dollars locked in those protocols. The lead security expert (and the supporting security team members) has full responsibility for the security of a protocol. And of course, they have a massive interest in the outcome.
If a Sherlock security analyst decides to take on a $1Bn policy at a protocol, they will likely have $2M-$4M of compensation paid out and/or at stake after just one year (10-20% of a 2% annual coverage premium on a $1Bn pool). If they keep the protocol safe during the vesting period, that $2M-$4M accrues directly to them (and their team, if any). Aside from being a black-hat hacker, there is no other opportunity in the security landscape that compares to the potential earnings of a Sherlock security expert.
